Monthly Archives: June 2026

Italy Moves to Regulate AI: New Rules on Civil and Criminal Liability

On 10 June 2026, the Italian Council of Ministers approved, in preliminary examination, two draft legislative decrees implementing Law No. 132/2025 and aligning the national framework with Regulation (EU) 2024/1689 (“AI Act”).

This is not the first legislative step taken by the Italian Government on AI. The two decrees follow Bill No. 1146/2024, which later became Law No. 132/2025 and set out the general national framework in the field of artificial intelligence.

The texts are not final yet: they will still be reviewed by the parliamentary committees, the State-Regions Conference and the competent authorities, including the Italian Data Protection Authority. Still, the direction is already clear. For businesses developing, placing on the market or deploying high-risk AI systems, the most relevant developments concern civil, criminal and corporate liability.

Two Decrees, in Brief

The first decree focuses on AI literacy, education and training, as well as on the national competent authorities. It regulates AI in school, university, professional and public administration training, and confirms the prohibition on purely automated decisions concerning hiring, dismissal, changes to the employment relationship and disciplinary sanctions. On governance, the framework is built around AgID, as notifying authority, and ACN, as market surveillance authority and single point of contact with the EU.

The second decree deals with more sensitive uses of AI, including policing, protection of injured parties and liability for high-risk systems. Its approach is to allow AI as a supporting tool, but within a perimeter based on human control, proportionality, traceability and protection of fundamental rights. This post focuses on its civil, criminal and corporate liability provisions.

Civil Liability: Levelling the Playing Field

The second decree strengthens the position of individuals harmed by an AI system. The main issue is informational asymmetry: a claimant will often be unable to reconstruct how the system worked or to prove the causal link between the AI output and the damage suffered.

The proposed response is mainly procedural. It includes access to the system’s technical documentation, a presumption of causation, an alternative venue close to the injured individual’s residence, and the possibility of acting directly against the insurer. Rather than introducing a broad new set of substantive obligations for businesses, the decree appears aimed at making compensation claims more effective, while leaving existing rules on data protection and product liability in place.

Criminal Liability: The New Article 437-bis

On the criminal side, the decree introduces a new Article 437-bis of the Criminal Code, concerning the failure to adopt security measures in high-risk AI systems and their unlawful alteration.

This offence does not punish the use of artificial intelligence as such. It targets human and organisational conduct that makes high-risk AI systems concretely dangerous. In particular, it covers omissions or alterations which, in the design, placing into service or use of such systems, create a concrete danger to primary interests such as life, public safety or State security.

Criminal liability is limited to the most serious cases. Not every technical error or malfunction would be criminally relevant: the conduct must be capable of generating a concrete danger. For the negligent form of the offence, gross negligence is required, which suggests an attempt to avoid over-criminalising technological innovation.

Corporate Liability Under Legislative Decree 231/2001

A further important point concerns the potential extension of liability to entities under Legislative Decree No. 231/2001. The available materials indicate that the new Article 437-bis may also have consequences under the 231 framework, so that liability would not fall only on individuals, but could also involve the organisation benefiting from the development, placing into service or use of a high-risk AI system.

This point should be verified against the final text, particularly as to whether and how Article 437-bis will be included among the predicate offences under Legislative Decree No. 231/2001. In any event, for companies operating with high-risk AI systems, the direction is significant: existing 231 models and internal protocols may need to be reviewed in light of AI-related risks.

In practice, this would mean assessing whether the organisation has adequate safeguards around system security, traceability, human oversight, risk management, incident escalation and controls across the AI lifecycle. As in other areas of 231 liability, the adequacy and effective implementation of the compliance model would be central to mitigating the entity’s exposure.

Why It Matters

The texts may still change before final approval, but the signal for companies is already clear. Businesses should start mapping where high-risk AI systems are developed or deployed, assessing whether existing compliance frameworks adequately cover AI-related risks, and strengthening documentation, oversight and risk management mechanisms.

These steps will be important not only to mitigate potential criminal and corporate liability, but also to respond effectively to civil claims arising from the use of AI systems.

Contributed by Francesco Stagno D’Alcontres

Disclosure Day: Drones in the EU – What’s Flying Above Us (and No, It’s Not Aliens)


With the recent wave of U.S. government declassifications of UFO files – officially referred to as UAPs (Unidentified Aerial Phenomena) – and a new Spielberg film tapping into our fascination with the unknown, the skies have never felt more mysterious. Yet, before looking up in wonder, a more grounded reality emerges: most of what we see overhead is far more explainable. Drones, for instance, are quietly reshaping our airspace – and the European Union has already put in place a comprehensive regulatory framework to govern them.

The Regulatory Framework: Two Regulations, One Clear Sky

Since 2019, two EU regulations have governed the production and operation of Unmanned Aircraft Systems (UAS) across all Member States, ending years of fragmented national rules.

Regulation (EU) 2019/945 – Manufacturing and Market Requirements

This regulation sets out the technical requirements for drones placed on the EU market, introducing a classification system based on maximum take-off mass (MTOM) and operational characteristics:

  1. Class C0 – under 250g; minimal requirements, no Remote ID required
  2. Class C1 – 250g to 900g; Remote ID mandatory, restrictions near populated areas
  3. Class C2 – 900g to 4kg; Remote ID, low-speed mode, geofencing capability required
  4. Class C3 / C4 – up to 25kg; reserved for “Specific” category operations
  5. Class C5 / C6 – designed for advanced operations, including drone swarms and controlled BVLOS flights

All drones must carry CE marking confirming conformity with their class requirements. From Class C1 upwards, every drone must be equipped with Remote ID, i.e. a real-time digital identification system that continuously broadcasts the drone’s unique identifier, position, altitude, speed and the operator’s location. Think of it as a number plate for the sky.

Manufacturers not established in the EU must designate an authorised representative within the Union to ensure compliance.

Regulation (EU) 2019/947 – Operational Rules for Pilots and Operators

This regulation, developed by EASA (the European Union Aviation Safety Agency), governs how drones are actually flown, organising all operations into three categories based on risk level:

Open Category – low-risk flights requiring no prior authorisation. Operations must remain within visual line of sight (VLOS), below 120 metres, and away from gatherings of people. This category is further divided into three subcategories (A1, A2, A3) depending on the drone’s class and its proximity to uninvolved persons. Subcategory A2, for instance, requires pilots to pass a theoretical examination before operating a Class C2 drone near people.

Specific Category – medium-risk operations that generally require either an authorisation from the national competent authority or compliance with a pre-defined Standard Scenario (STS). Authorisations are based on the SORA methodology (Specific Operations Risk Assessment), which helps assess the level of risk involved and determine what safety measures are needed. Two Standard Scenarios are currently available – STS-01 (visual line of sight flights in populated areas) and STS-02 (beyond visual line of sight flights in unpopulated areas). Operators meeting all the conditions of an STS can fly under a simple declaration, without needing individual authorisation.

This category is also where BVLOS operations (Beyond Visual Line of Sight) come in – flights where the drone operates beyond the pilot’s direct visual contact. BVLOS is key to unlocking use cases like long-range infrastructure inspection, medical delivery, and large-scale surveying. These flights typically require either a SORA-based authorisation or compliance with STS-02, and the drone must be equipped with detect-and-avoid capabilities to ensure safe separation from other aircraft.

Certified Category – high-risk operations equivalent in complexity to conventional aviation. Requires full EASA certification of the drone, a formal operator approval, and a licensed pilot. Reserved for operations where a system failure could have catastrophic consequences.

Cross-Cutting Obligations

Regardless of category, all operators must:

  1. Register with their national competent authority (mandatory for drones over 250g or equipped with a camera)
  2. Respect UAS geographical zones defined by each Member State, covering restricted, prohibited, and conditional airspace
  3. Maintain flight logs for all Specific and Certified category operations
  4. Ensure adequate pilot training appropriate to the subcategory or category of operation

The U-Space: Managing the New Low-Altitude Frontier

The two regulations sit within a broader framework that includes the U-Space system, established by Regulation (EU) 2021/664. U-Space is the EU’s digital infrastructure for managing low-altitude air traffic in real time – essentially an air traffic management system for drones. It enables flight authorisation, conflict detection, real-time traffic monitoring and information sharing between operators, authorities, and conventional airspace managers.

U-Space is the critical enabler for large-scale BVLOS operations, and its progressive rollout across Member States is expected to unlock entirely new categories of drone deployment in the coming years.

Why It Matters

Together, these regulations created a single European drone market: harmonised, scalable, and built around safety. For anyone operating drones professionally in Europe, compliance is not optional – it is the foundation of lawful and sustainable operations.

So while the debate on UAPs continues across the Atlantic, Europe has already answered its own version of the question: what’s flying up there, and who’s in charge of it?

The answer, refreshingly, involves neither little green men nor government cover-ups – just well-drafted regulations and a lot of paperwork.